FileVault Recovery Key Redirect

Template

FileVault full-volume encryption (FDE) recovery keys are, by default, sent to Apple if the user requests it. With this payload, you can redirect those recovery keys to a corporate server instead.

FileVault Recovery Key Redirection payloads are designated by specifying com.apple.security.FDERecoveryRedirect as the PayloadType value. Only one payload of this type is allowed per system.

A site providing support for archiving the recovery key must implement its own HTTPS server. The client issues a POST request to the server with XML data in the request body containing the recovery key and serial number of the client computer. The server must respond with XML data echoing the device’s serial number and provide a RecordNumber, which can be any data that locates the recovery key.

The SSL certificate chain of the server is evaluated by the client, which must trust it. If needed, the configuration profile can include an additional certificate to set up a chain of trust.

Summary

PayloadType: com.apple.security.FDERecoveryRedirect
Supervised Only: N/A
macOS: N/A
macOS Deprecated: 10.12.99
iOS: N/A
iOS Deprecated: N/A
Highlander: N/A

Keys

RedirectURL

Redirect URL

The URL to which FDE recovery keys should be sent instead of Apple. Must begin with https://.

Type: string
Default: N/A
Required: always
Regex: ^https://.*$
iOS: N/A
macOS: N/A
Supervised: N/A

EncryptCertPayloadUUID

Encryption Certificate Payload UUID

The UUID of a payload within the same profile that contains a certificate whose public key is used to encrypt the recovery key when it is sent to the redirected URL. The referenced payload must be of type com.apple.security.pkcs1.

Type: string
Default: N/A
Required: always
Regex: ^[0-9A-Za-z]{8}-[0-9A-Za-z]{4}-[0-9A-Za-z]{4}-[0-9A-Za-z]{4}-[0-9A-Za-z]{12}$
iOS: N/A
macOS: N/A
Supervised: N/A
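The constraints above (https-only RedirectURL, UUID-shaped EncryptCertPayloadUUID that must point at a com.apple.security.pkcs1 payload in the same profile, and at most one payload of this type) can be checked before a profile is deployed. The following is an added example, not Apple's code; the sample profile, its UUIDs and its hostname are constructed placeholders.

```python
import plistlib
import re

# Constraints taken from the payload reference above.
PAYLOAD_TYPE = "com.apple.security.FDERecoveryRedirect"
CERT_PAYLOAD_TYPE = "com.apple.security.pkcs1"
URL_RE = re.compile(r"^https://.*$")
UUID_RE = re.compile(r"^[0-9A-Za-z]{8}-[0-9A-Za-z]{4}-[0-9A-Za-z]{4}"
                     r"-[0-9A-Za-z]{4}-[0-9A-Za-z]{12}$")

def check_fde_redirect(profile_bytes):
    """Return a list of problems found in a .mobileconfig; empty means it passes."""
    profile = plistlib.loads(profile_bytes)
    payloads = profile.get("PayloadContent", [])
    by_uuid = {p.get("PayloadUUID"): p for p in payloads}
    redirects = [p for p in payloads if p.get("PayloadType") == PAYLOAD_TYPE]
    problems = []
    if len(redirects) > 1:
        problems.append("more than one FDERecoveryRedirect payload")
    for p in redirects:
        url = p.get("RedirectURL")
        if url is None:
            problems.append("RedirectURL is required")
        elif not URL_RE.match(url):
            problems.append(f"RedirectURL must begin with https://: {url!r}")
        ref = p.get("EncryptCertPayloadUUID")
        if ref is None:
            problems.append("EncryptCertPayloadUUID is required")
        elif not UUID_RE.match(ref):
            problems.append(f"EncryptCertPayloadUUID is not a UUID: {ref!r}")
        elif ref not in by_uuid:
            problems.append(f"no payload with UUID {ref} in this profile")
        elif by_uuid[ref].get("PayloadType") != CERT_PAYLOAD_TYPE:
            problems.append(f"payload {ref} is not {CERT_PAYLOAD_TYPE}")
    return problems

# Constructed sample profile; the UUIDs and hostname are placeholders.
SAMPLE_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadContent": [
        {"PayloadType": CERT_PAYLOAD_TYPE,
         "PayloadUUID": "11111111-2222-3333-4444-555555555555"},
        {"PayloadType": PAYLOAD_TYPE,
         "PayloadUUID": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
         "RedirectURL": "http://escrow.example.com/fde",  # not https: flagged
         "EncryptCertPayloadUUID": "11111111-2222-3333-4444-555555555555"},
    ],
})
```

Running check_fde_redirect(SAMPLE_PROFILE) reports the plain-http RedirectURL; replacing it with an https:// URL yields an empty list.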